Firewall opinions wanted please
bill
bmanning at karoshi.com
Wed Mar 17 17:57:35 UTC 2004
>
>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall. My grandma should
> > > have a firewall. Nicole, holding dominion over this business network and
> > > its critical infrastructure, should _definitely_ have a firewall. ;)
> > >
> > Why? When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> >
> > Two questions asked, two answers are sufficient.
>
> Nope. One will do it. The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control
> of your box(en), firewalling became necessary.
Ah, so back in 1979. Three (well two and a half, roughly)
decades between making fundamental design choices on how
protocols vs folks trying to do the right thing in the wrong
place.
> The Internet is not exactly
> end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques and
> interceptions commonly associated with network security.
Here we have some disagreement. Network security is protecting
the infrastructure's ability to deliver bits and has nothing to
do w/ end systems per se.
> Firewalls are logical interventions, costing as little as some processor
> overhead. Dedicated appliances are only one deployment. Filters on
> routers also qualify as firewalls. Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
Please include the OPEX costs. And you have ignored the
IAB plea for having filtering done as a temporary expedient
as a way to encourage new application/feature development.
And yes, the need to perform edge filtering is symptomatic of
a cultural problem. We have sociopaths in the community that
drive normally sane people to do perverse things.
So yes, mutant lunacy and unDESIRABLE complexity.
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration. The lack thereof
> presents the complication, not the countermeasure itself.
Amen. See above. From a systems perspective, adding yet
one more level of management/administration decreases the
efficiency and robustness of the overall system. From a
"security" perspective, another attack point!
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well? Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.
See above.
>
> --ra
>
> --
> k. rachael treu, CISSP rara at navigo.com
> ..quis custodiet ipsos custodes?..
> >
> > --bill